Title | Lab 10 Part 2 Questions - Dr. Smith |
---|---|
Author | Nathan Hill |
Course | Cyber Security |
Institution | University of Akron |
Pages | 2 |
File Size | 46.8 KB |
Total Downloads | 106 |
Total Views | 160 |
Nathan Hill
Cyber Hacking and Data Recovery
Professor Smith
20 April 2017

Lab 10 Part 2 Questions

B1- This is the packet that caused the alert. It matched because the hexadecimal values printed in the Snort alert, converted to decimal, equal the values printed by tcpdump for this packet.

B2- The value selected by `# tcpdump -nnvr tcpdump.log 'ip[4:2] = 53309'` is the IP Identification field (the two bytes at offset 4 of the IPv4 header), and 53309 matches the ID shown in the Snort alert file.

B3- The sequence and acknowledgement numbers in the tcpdump output and in the Snort alert are the same; they match. However, the Snort alert prints them in hexadecimal and tcpdump prints them in decimal. Through conversion, 0x1B2C3517 = 455882007 and 0x9F9E0666 = 2677933670.

C1- The packet header in tcpdump.log has link type EN10MB (Ethernet).

C2- The JPEG image found appears to be 635 bytes in size.

D1- The "SHELLCODE x86 NOOP" alert was triggered because a rule matched. That rule is Snort ID (SID) 10000648, which is a local rule (SIDs of 1,000,000 and above are reserved for locally written rules).

D2- The matching rule reads:
`(msg:"SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; classtype:shellcode-detect; sid:10000648; rev:2;)`

E1- The hexdump line quoted for the series of bytes set to 0x90 is `2077 6974 6820 5375 686f 7369 6e2d 5061`, which tcpdump renders in ASCII as `.with.Suhosin-Pa` (these particular bytes are ASCII text, not 0x90) ...
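The following is an added worked example, not part of the lab submission or of Snort/tcpdump. It builds a constructed Ethernet/IPv4/TCP frame (not a packet from the lab's tcpdump.log) whose fields carry the values quoted in B2, B3 and E1, then shows what the three tools are really comparing: the BPF expression `ip[4:2]` reads the IPv4 Identification field, Snort's hex `Seq`/`Ack` are the same integers tcpdump prints in decimal, the rule's `content:"|90 ... 90|"` is a plain 14-byte substring match, and tcpdump's `-X` hexdump prints space and other non-graphic bytes as `.`. All addresses, ports and the payload layout are assumptions made for the example.

```python
import struct

# Constructed sample payload (assumption, not from the lab capture): a 14-byte
# NOP sled, which is exactly what SID 10000648's content match looks for,
# followed by the ASCII text whose hexdump line is quoted in answer E1.
NOP_SLED = b"\x90" * 14
PAYLOAD = NOP_SLED + b" with Suhosin-Pa"


def build_frame(ip_id=53309, seq=0x1B2C3517, ack=0x9F9E0666, payload=PAYLOAD):
    """Assemble a DLT_EN10MB (Ethernet) frame carrying IPv4 + TCP + payload.

    MAC/IP addresses and ports are placeholders chosen for the example.
    """
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    # TCP: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: version/IHL, TOS, total length, Identification, flags/frag, TTL, proto=TCP,
    # checksum (left 0 here), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Pull out the fields the lab compares between tcpdump and the Snort alert."""
    ip = frame[14:]                      # skip the 14-byte Ethernet header
    ihl = (ip[0] & 0x0F) * 4             # IPv4 header length in bytes
    # BPF 'ip[4:2]' means "2 bytes at offset 4 of the IP header": the Identification field
    ip_id = struct.unpack("!H", ip[4:6])[0]
    tcp = ip[ihl:]
    seq, ack = struct.unpack("!II", tcp[4:12])
    data_off = (tcp[12] >> 4) * 4        # TCP header length in bytes
    return {"ip_id": ip_id, "seq": seq, "ack": ack, "payload": tcp[data_off:]}


def bpf_ip_id_filter(frame, value):
    """Equivalent of tcpdump's 'ip[4:2] = <value>' for a single frame."""
    return parse_frame(frame)["ip_id"] == value


def nop_rule_matches(payload, nops=14):
    """Snort's content:"|90 90 ... 90|" is a literal substring search for the sled."""
    return (b"\x90" * nops) in payload


def hexdump_line(chunk):
    """Render up to 16 bytes the way tcpdump -X does: 2-byte hex groups plus ASCII,
    with any non-graphic byte (space included) shown as '.'."""
    hex_part = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
    ascii_part = "".join(chr(b) if 0x21 <= b <= 0x7E else "." for b in chunk)
    return hex_part, ascii_part


if __name__ == "__main__":
    frame = build_frame()
    fields = parse_frame(frame)
    print("ip[4:2] =", fields["ip_id"], "filter hit:", bpf_ip_id_filter(frame, 53309))
    # Snort prints Seq/Ack in hex, tcpdump in decimal; both are the same integer.
    print(f"Seq: 0x{fields['seq']:08X} = {fields['seq']}")
    print(f"Ack: 0x{fields['ack']:08X} = {fields['ack']}")
    print("SID 10000648 content match:", nop_rule_matches(fields["payload"]))
    for off in range(0, len(fields["payload"]), 16):
        hx, asc = hexdump_line(fields["payload"][off:off + 16])
        print(f"0x{off:04x}:  {hx:<40} {asc}")
```

Running it shows the 14 NOP bytes as a line of `9090 9090 ...` rendered as dots in the ASCII column, followed by the `2077 6974 6820 5375 686f 7369 6e2d 5061  .with.Suhosin-Pa` line from E1, which makes the distinction in that answer concrete: the quoted line is the text after the sled, not the 0x90 bytes themselves.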